Massive Chinese Botnet of 130,000 Devices Targets Microsoft 365 Accounts

A powerful China-linked botnet has been caught launching large-scale password spraying attacks against Microsoft 365 accounts, putting businesses and organizations at serious risk. According to SecurityScorecard, this botnet is fueled by a staggering 130,000 compromised devices, making it one of the largest cyber threats of its kind.
How the Attack Works
This botnet exploits non-interactive sign-ins and Basic Authentication, two weak points in Microsoft 365 security that allow attackers to test stolen credentials without triggering multi-factor authentication in many configurations.
Non-interactive sign-ins are often used for service-to-service authentication and legacy protocols such as POP, IMAP, and SMTP, so security teams tend to scrutinize them less. Basic Authentication, though deprecated by Microsoft, is still active in some environments and transmits credentials in plaintext—an easy target for hackers.
The botnet takes stolen usernames and passwords, often gathered by infostealer malware, and systematically tests them against Microsoft 365 accounts. If successful, attackers gain access to sensitive data, disrupt business operations, and move laterally within an organization.
Why This Attack Is Hard to Detect
One of the scariest aspects of this attack is its stealth. Since password spraying attempts are logged under non-interactive sign-ins, many security teams fail to monitor these records closely. This allows attackers to slip under the radar while they systematically try to break into accounts.
SecurityScorecard also identified command and control servers in the United States, which were communicating with 130,000 infected devices over a four-hour period. These devices, likely part of a larger global network, enable the attackers to scale their operations rapidly.
Who’s Behind the Botnet?
While the attack has been linked to a Chinese threat group, attribution is still under investigation. The botnet does, however, share characteristics with previously identified Chinese cyber-espionage campaigns.
Notably, Microsoft reported in October 2024 that multiple Chinese threat actors were using stolen credentials from a large-scale password spraying operation. This campaign was associated with compromised networks known as CovertNetwork-1658, Xlogin, and Quad7.
How to Protect Your Organization
With this botnet actively targeting Microsoft 365 accounts, organizations must take immediate steps to strengthen their security:
- Disable Basic Authentication if it is still enabled in your environment.
- Enable Modern Authentication and multi-factor authentication for all users, especially for non-interactive sign-ins.
- Monitor non-interactive sign-in logs regularly for unusual login patterns.
- Enforce strong, unique passwords through strict password policies and regular changes, to blunt password spraying.
- Deploy endpoint security solutions to protect against infostealer malware that hackers use to gather credentials.
- Geo-restrict access to Microsoft 365 accounts if possible, limiting logins based on geographic locations.
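To make the monitoring advice above concrete, here is an added example (not code from the article or from SecurityScorecard) that scans a batch of sign-in records for the spray pattern described earlier: one source IP failing non-interactive logins against many different accounts while trying each account only once or twice, often over legacy protocols. The record layout and the sample rows are constructed approximations of Microsoft Entra ID sign-in log fields; real exports carry more fields and different naming, so the field accessors are the part you would adapt.

```python
"""Flag password-spray patterns in Microsoft 365 non-interactive sign-in records.

Added example, not part of the original article. The record layout is a
simplified, constructed stand-in for Entra ID sign-in log fields.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records. errorCode 50126 is Entra ID's "invalid username
# or password" result; errorCode 0 means the sign-in succeeded.
SAMPLE_LOGS = [
    {"time": "2025-02-24T10:00:01Z", "user": "alice@example.com", "ip": "203.0.113.10", "interactive": False, "protocol": "IMAP", "errorCode": 50126},
    {"time": "2025-02-24T10:02:14Z", "user": "bob@example.com",   "ip": "203.0.113.10", "interactive": False, "protocol": "IMAP", "errorCode": 50126},
    {"time": "2025-02-24T10:04:30Z", "user": "carol@example.com", "ip": "203.0.113.10", "interactive": False, "protocol": "SMTP", "errorCode": 50126},
    {"time": "2025-02-24T10:06:55Z", "user": "dave@example.com",  "ip": "203.0.113.10", "interactive": False, "protocol": "POP3", "errorCode": 50126},
    {"time": "2025-02-24T10:09:12Z", "user": "erin@example.com",  "ip": "203.0.113.10", "interactive": False, "protocol": "IMAP", "errorCode": 0},
    # Benign noise: one user mistyping a password twice from an office IP, then succeeding.
    {"time": "2025-02-24T10:01:00Z", "user": "frank@example.com", "ip": "198.51.100.7", "interactive": True, "protocol": "Browser", "errorCode": 50126},
    {"time": "2025-02-24T10:01:20Z", "user": "frank@example.com", "ip": "198.51.100.7", "interactive": True, "protocol": "Browser", "errorCode": 50126},
    {"time": "2025-02-24T10:01:45Z", "user": "frank@example.com", "ip": "198.51.100.7", "interactive": True, "protocol": "Browser", "errorCode": 0},
]

# Legacy protocols that only work with Basic Authentication and bypass MFA prompts.
LEGACY_PROTOCOLS = {"IMAP", "POP3", "SMTP"}


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def detect_password_spray(events, window=timedelta(hours=1), min_users=4, max_attempts_per_user=2):
    """Return one finding per source IP whose non-interactive sign-ins look like a spray.

    Spray signature: within `window` of the IP's first event, the IP fails
    sign-ins for at least `min_users` distinct accounts while trying each
    account no more than `max_attempts_per_user` times (low and slow, staying
    under lockout thresholds). Any success from the same IP is listed so the
    account can be investigated first.
    """
    by_ip = defaultdict(list)
    for event in events:
        if event["interactive"]:  # interactive logins are monitored elsewhere; the article's point is the non-interactive ones
            continue
        by_ip[event["ip"]].append(event)

    findings = []
    for ip, ip_events in by_ip.items():
        ip_events.sort(key=lambda e: parse_time(e["time"]))
        start = parse_time(ip_events[0]["time"])
        in_window = [e for e in ip_events if parse_time(e["time"]) - start <= window]
        failures = [e for e in in_window if e["errorCode"] != 0]

        attempts_per_user = defaultdict(int)
        for failure in failures:
            attempts_per_user[failure["user"]] += 1

        if len(attempts_per_user) >= min_users and max(attempts_per_user.values()) <= max_attempts_per_user:
            findings.append({
                "ip": ip,
                "distinct_users": len(attempts_per_user),
                "failed_attempts": len(failures),
                "successes": [e["user"] for e in in_window if e["errorCode"] == 0],
                "legacy_protocols": sorted({e["protocol"] for e in in_window} & LEGACY_PROTOCOLS),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_password_spray(SAMPLE_LOGS):
        print(finding)
```

Run against the sample rows, the function reports the single spraying IP with four targeted accounts, one success (the account to reset first), and the legacy protocols involved, while ignoring the user who simply mistyped a password. The thresholds are deliberately low for the sample; in production, tune `min_users` and `window` against your tenant's baseline and run the check over a sliding window rather than from each IP's first event.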
Final Thoughts
The 130,000-device botnet targeting Microsoft 365 is a stark reminder that password-based attacks are still one of the biggest cybersecurity threats today. With many organizations still relying on outdated authentication methods, attackers continue to exploit these weaknesses.
By proactively securing Microsoft 365 environments, monitoring unusual activity, and enforcing strong authentication policies, businesses can reduce their risk of falling victim to this highly sophisticated attack.